On 08/20/2010 12:59 AM, Cole Robinson wrote:
On 08/12/2010 10:29 AM, Lars Kellogg-Stedman wrote:
> Hello all,
>
> I'm trying to get virsh (and virt-manager) to talk to a remote libvirt
> instance. I cannot for the life of me figure out how to tell either
> tool where to find client or CA certificates. Do they *really* need
> to access the ones in /etc/pki? In particular, the client seems to
> want to read the *server's* private key, which for obvious reasons is
> only readable by root.
>
> I feel like I must be missing something obvious...if someone can point
> me towards a solution I would really appreciate it. Thanks!
Hi Lars,
There wasn't a mention of which type of certificates you're trying to
use, so I'll assume TLS, as that's what /etc/pki is for.
virsh
*****
With virsh, it is hard-coded to use a server-wide path for its client
certificate (found this out yesterday). It's been mentioned
there's an RFE for having that configurable, but it's not something I've
looked into.
$ ls -la /etc/pki/libvirt/clientcert.pem /etc/pki/libvirt/private/clientkey.pem
-rw-r--r-- 1 root root 1220 Aug 19 02:34 /etc/pki/libvirt/clientcert.pem
-rw-r--r-- 1 root root 1675 Aug 19 02:32 /etc/pki/libvirt/private/clientkey.pem
$
It also needs the CA Certificate (not the key) here:
/etc/pki/CA/cacert.pem
$ sudo ls -la /etc/pki/CA/cacert.pem
-rw-r--r-- 1 root root 1070 Aug 19 01:06 /etc/pki/CA/cacert.pem
$
Real life example of it working
*******************************
$ virsh -c qemu://host1/system
Welcome to virsh, the virtualization interactive terminal.
Type: 'help' for help with commands
'quit' to quit
virsh #
(the qemu:// bit works there without saying qemu+tls://, because TLS
is the default)
virt-manager
************
virt-manager though, uses the client certificate in a different spot.
It has them per user, and they're stored in:
~/.pki/libvirt-vnc/clientcert.pem
~/.pki/libvirt-vnc/private/clientkey.pem
It needs the CA Certificate in:
~/.pki/CA/ca-cert.pem
$ ls -la ~/.pki/libvirt-vnc/clientcert.pem ~/.pki/libvirt-vnc/private/clientkey.pem ~/.pki/CA/ca-cert.pem
-rw-r--r-- 1 jc jc 1070 Aug 19 20:48 /export/backend/home/jc/.pki/CA/ca-cert.pem
-rw-r--r-- 1 jc jc 1220 Aug 19 20:48 /export/backend/home/jc/.pki/libvirt-vnc/clientcert.pem
lrwxrwxrwx 1 jc jc 16 Aug 19 21:14 /export/backend/home/jc/.pki/libvirt-vnc/private/clientkey.pem -> ../clientkey.pem
$
You'll be able to see that pointing to the keys in my home dir.
Something you'll notice is that in this instance, my clientkey.pem is
itself NOT in the "private" sub-dir. It's in a folder below that, with
a link in the private sub-dir, which is good enough.
I have it this way only because I created it in a different spot
initially when trying to get it to work, and it turns out that
virt-viewer (another VNC viewing thing) needs it there instead. i.e. in
the directory below "private".
Anyway, the above works. :)
If you have troubles with the TLS key generation, the docs on the
libvirt.org site work:
http://libvirt.org/remote.html
And the paths for virt-manager are given on the last part of this page:
http://virt-manager.org/page/RemoteTLS#virt-manager.2Fvirsh.2Fvirt-viewer...
> If it's relevant, I'm running everything under Fedora 13 right now, so
> that means libvirt-0.8.2-1.fc13.x86_64 and
> qemu-kvm-0.12.3-8.fc13.x86_64.
Similar. All of the above is on an F13 workstation as well.
All good now? :)
Regards and best wishes,
Justin Clift
--
Salasaga - Open Source eLearning IDE
http://www.salasaga.org
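An added example, not code from the thread above or from libvirt or virt-manager: a POSIX shell check for the two client-side layouts the reply describes (virsh's system-wide files under /etc/pki, virt-manager's per-user files under ~/.pki, with the differently named CA file in each). Beyond confirming the files exist, it checks what the paths alone do not tell you: that the client certificate really chains to the CA, that it belongs to the private key next to it, and that the key is not readable by other users (the listings above show clientkey.pem as mode 0644, which the check flags). It assumes openssl(1) is available and that the root path contains no spaces; make_demo_pki is a test fixture that builds a throwaway CA so the check can be tried without touching /etc/pki.

```shell
#!/bin/sh
# Added example; not code from the original thread or from libvirt/virt-manager.
# Checks that the client-side TLS files sit where virsh (system-wide, /etc/pki)
# or virt-manager (per-user, ~/.pki) look for them, that the client cert is
# signed by the CA, that the cert matches the private key, and that the key is
# not readable by other users. Assumes openssl(1) is installed and that the
# PKI root path contains no spaces.

# Print "<ca cert> <client cert> <client key>" for layout "virsh" or
# "virt-manager" under the given root (the file names are the ones from the thread).
pki_paths() {
    root="$1"
    case "$2" in
        virsh)
            echo "$root/CA/cacert.pem $root/libvirt/clientcert.pem $root/libvirt/private/clientkey.pem" ;;
        virt-manager)
            echo "$root/CA/ca-cert.pem $root/libvirt-vnc/clientcert.pem $root/libvirt-vnc/private/clientkey.pem" ;;
        *)
            echo "unknown layout: $2" >&2; return 1 ;;
    esac
}

# check_client_pki ROOT LAYOUT
# Returns 0 when everything is in order, 1 for a missing, unreadable or
# non-verifying file, 2 when the private key is readable by group or others.
check_client_pki() {
    paths=$(pki_paths "$1" "$2") || return 1
    set -- $paths
    ca="$1"; cert="$2"; key="$3"
    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    # The client certificate must chain to the CA the server trusts.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "$cert does not verify against $ca" >&2; return 1; }
    # The public key in the certificate must be the one derived from the key.
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
        || { echo "$key does not match $cert" >&2; return 1; }
    # Columns 5-10 of 'ls -l' are the group and other permission bits; -L follows
    # a symlink such as the private/clientkey.pem -> ../clientkey.pem link above.
    case "$(ls -ldL "$key" | cut -c5-10)" in
        *[rwx]*) echo "$key is readable by other users; chmod 600 it" >&2; return 2 ;;
    esac
    return 0
}

# make_demo_pki ROOT LAYOUT
# Test fixture: a throwaway CA and a client cert it signs, written in the
# requested layout under ROOT so the check can be tried without touching
# /etc/pki or ~/.pki. Not a procedure for a real deployment.
make_demo_pki() {
    root="$1"
    paths=$(pki_paths "$root" "$2") || return 1
    set -- $paths
    ca="$1"; cert="$2"; key="$3"
    mkdir -p "$(dirname "$ca")" "$(dirname "$cert")" "$(dirname "$key")"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo libvirt CA" \
        -keyout "$root/ca-key.pem" -out "$ca" >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
        -keyout "$key" -out "$root/client.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in "$root/client.csr" -CA "$ca" -CAkey "$root/ca-key.pem" \
        -CAcreateserial -out "$cert" >/dev/null 2>&1 || return 1
    chmod 600 "$key"
}

# Demo run against a scratch directory (DEMO=1 sh thisfile.sh); point ROOT at
# /etc/pki with layout virsh, or at "$HOME/.pki" with layout virt-manager, to
# check a real installation.
if [ "${DEMO:-0}" = 1 ]; then
    tmp=$(mktemp -d)
    make_demo_pki "$tmp" virsh && check_client_pki "$tmp" virsh \
        && echo "virsh layout OK under $tmp"
fi
```

The two layouts differ only in the directory and CA file names, so one function serves both; a return code of 2 is kept separate from 1 so a caller can treat a world-readable key as a warning rather than a broken setup if it chooses to.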